Cyber Risk News
Microsoft patched 59 vulnerabilities yesterday, releasing one advisory for Windows 10 Servicing Stack.
Of the 59 vulnerabilities patched, nine are classified as “critical.” There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.
Jimmy Graham, senior director of product management at Qualys, said that alongside these patches, a Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. “If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized,” he said.
Satnam Narang, senior research engineer at Tenable, said: “Two more vulnerabilities in Remote Desktop were patched this month. CVE-2019-1333 is a remote code execution vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the Remote Desktop Protocol (RDP), or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.
“CVE-2019-1326 is a denial of service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding.
“There is also a pair of Win32k elevation of privilege vulnerabilities (CVE-2019-1362, CVE-2019-1364) caused by a failure in how the Windows kernel-mode driver handles objects in memory. These vulnerabilities require an attacker to have previously compromised a system before they can elevate privileges. Both vulnerabilities affect Windows Server 2008 and Windows 7, which will no longer receive security updates after January 14, 2020.”
Preparing for data breach response should involve practising with third parties, and repeating the processes.
He said that reputation is fundamentally based on two things, what you do and what you say, and that you should also consider how you perform. “If you don’t do everything you can, you’re losing the ability to influence in the first place,” he said. “In terms of how you plan and how you prepare, your role and influence becomes incredibly important and brand and reputation means a lot more than you think it does.”
He recommended having the following steps in place, as “no matter how good you get it, you will never be famous for doing it well, but you will be infamous for doing it badly.” These were:
- Communications – How do you get out ahead of social media, and don’t develop messages on the fly
- Speed – This is of the essence, as if you don’t respond quickly, you will be behind the message and the press
- Capacity and Capability – Your capability is designed and sized to support ‘business as usual’, so consider how to manage that and support those customers who are affected
- Identity Protection and Repair – Your insurance will cover this, but only 10-20% of customers will take this opportunity up, so consider whether it is an effective means of protecting customers
- Professional Expertise – Whether it is a law firm, crisis communications or a claim team, it is important to have professional entities of people who have been through the process before
Whitehead said breach response preparation was a classic case of “make friends before you need them” in the event of a crisis. Pointing to the Information Commissioner’s Office, he said that the EU’s guidance to supervisory authorities sets out 11 criteria for assessing an organization after a data breach, for deciding whether a fine is warranted, and for deciding how large that fine should be.
One point states that “any action taken by a controller to mitigate the damage suffered by data subjects” should be considered, and of the 11 criteria, “this is the only one to talk duty of care to data subjects.”
Whitehead said that, if you have exercised duty of care, you may or may not get a fine. “So worry about duty of care and your customers; not just because from a brand and reputation perspective, as if you don’t look after them they will go elsewhere,” he said. “But you should also worry about your duty of care as it is the tipping point for the supervisory authorities to decide on the size of the fine.”
A new report by email and data security company Mimecast has revealed a staggering increase in the number of Business Email Compromise (BEC) cyber-attacks.
The quarterly Email Security Risk Assessment (ESRA) report, released today, found a 269% increase in the number of BEC attacks in quarter two of 2019, compared to the first quarter of the year.
BEC attacks are sophisticated scams that typically target businesses working with foreign suppliers and businesses that regularly perform wire-transfer payments. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized funds transfers.
According to the FBI, there are five main types of BEC scams, all of which allow threat actors to commit email-based impersonation fraud using methods that evade many traditional email security systems.
The Bogus Invoice Scheme involves an attacker impersonating a company's supplier and requesting funds transfers to the attacker's bank account in payment of services rendered. An attacker committing CEO Fraud will pose as one of the company's most senior executives and send an email to the finance department requesting that money be transferred to an account they control.
If the attack is an Account Compromise, an executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
A Data Theft BEC attack targets employees in the HR and finance departments to fraudulently obtain personally identifiable information (PII) or tax statements of employees and executives, which can be sold on the dark web or used for future attacks.
Finally, threat actors can launch an Attorney Impersonation BEC attack, in which they pretend to be a lawyer or someone from a law firm in order to access confidential information.
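The impersonation patterns described above (an executive's name on an outside mailbox in CEO Fraud, a supplier domain with one character swapped in the Bogus Invoice Scheme, replies redirected to an attacker's mailbox) are visible in message headers before a payment request reaches finance. The following is an added example of such a header check, not code from Mimecast or from the ESRA report; the organization profile, the trusted domains, the keyword list and the three messages are constructed for the demonstration, and the lookalike-domain heuristic is a deliberately simple assumption.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed organization profile (assumption, not from the report): the
# domains we trust and the executives a CEO Fraud message would impersonate.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("wire", "transfer", "invoice", "bank account", "urgent")


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions: '1' reads as 'l', '0' as 'o', 'rn' as 'm'."""
    return domain.lower().replace("1", "l").replace("0", "o").replace("rn", "m")


def lookalike(domain: str, trusted: str) -> bool:
    """Simple lookalike test (assumption): homoglyph match, or exactly one character changed."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    if normalize(domain) == normalize(trusted):
        return True
    return len(domain) == len(trusted) and sum(a != b for a, b in zip(domain, trusted)) == 1


def bec_indicators(raw: str) -> List[str]:
    """Return the impersonation and payment indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # CEO Fraud: an executive's display name on a mailbox that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append("display name %r used from %s instead of %s" % (name, addr, expected))

    # Bogus Invoice Scheme: a supplier (or our own) domain with a character swapped.
    for trusted in sorted(TRUSTED_DOMAINS):
        if lookalike(domain, trusted):
            findings.append("sender domain %s resembles trusted domain %s" % (domain, trusted))

    # Replies silently redirected to a mailbox the sender does not appear to own.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("Reply-To %s differs from From %s" % (reply_to, addr))

    # Funds-transfer language in the plain-text body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    hits = [w for w in PAYMENT_WORDS if w in body]
    if hits:
        findings.append("payment language: " + ", ".join(hits))
    return findings


def is_suspicious(raw: str) -> bool:
    """Two independent indicators are enough to hold the message for manual review."""
    return len(bec_indicators(raw)) >= 2


# Constructed sample messages (not real traffic).
CEO_FRAUD = "\n".join([
    'From: "Jane Doe" <jane.doe@gmail-mail.example>',
    "To: payments@example.com",
    "Subject: Quick favour",
    "",
    "I am in a meeting all day. Please process an urgent wire transfer to the",
    "account details I will send next, and keep this between us for now.",
])
BOGUS_INVOICE = "\n".join([
    "From: billing@acme-supp1ies.example",
    "Reply-To: payments@mail-drop.example",
    "To: accounts@example.com",
    "Subject: Invoice 4471 overdue",
    "",
    "Please find attached invoice 4471. Note that our bank account has changed",
    "since the last payment; use the new details below.",
])
LEGITIMATE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "To: staff@example.com",
    "Subject: Lunch",
    "",
    "Lunch tomorrow at noon?",
])

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("bogus invoice", BOGUS_INVOICE), ("legitimate", LEGITIMATE)):
        print(label, is_suspicious(raw), bec_indicators(raw))
```

In a gateway this check sits beside, not instead of, SPF/DKIM/DMARC evaluation: the lookalike domain in the second message may pass all three because the attacker registered it, which is why header-content correlation of this kind is still needed.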
A further finding of the ESRA report is that 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous file types were all missed by incumbent providers and delivered to users’ inboxes.
The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, like financial, data, or customer loss.
An industry initiative to allow data sharing and interoperability in the cybersecurity sector has won the support of 18 vendors.
The Open Cybersecurity Alliance (OCA), created by international consortium OASIS, will unite end users and organizations in an open cybersecurity ecosystem where products can share information, insights, orchestrated responses, and analytics.
The OCA will strive to increase the cybersecurity value of existing products and discover new security insights by supporting commonly developed code and tooling and encouraging practices for interoperability and sharing data among cybersecurity tools.
A key aim of the OCA will be to make it easier for different cybersecurity technologies to work together across the entire lifecycle of a threat.
In a statement issued earlier today, the OCA wrote: "According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data.
"Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats. To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors."
The alliance was spearheaded by IBM Security and McAfee and quickly attracted the support of Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.
At OCA's heart will be two technologies developed by its founding members. The first is McAfee's cybersecurity messaging format OpenDXL Standard Ontology. The second is STIX-Shifter, a search capability for all types of security products based on an IBM open source library. This useful tool can identify information in data repositories that relates to potential threats, pop it into a usable format, and share it with any enabled security tool.
"Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too," said D.J. Long, vice president of business development at McAfee.
"Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence."
Researchers at the University of Arizona are developing a fresh approach to cybersecurity modeled on the human central nervous system.
The new method, which is being created as part of the Partnership for Proactive Cybersecurity Training project, will aim to detect and neutralize cyber-threats in their earliest stages before they have a chance to do any serious damage.
Inspiration for the project came from human biological responses; for example, how the body's immune system fights a virus and how a person will instinctively pull their fingers away from a burning hot surface before their brain has even received the message that the body is at risk of harm.
"I felt we could learn about how the body protects us by reacting to threats and maybe apply it to cyber by building a 'cyber immune system,'" said Salim Hariri, UA electrical and computer engineering professor and the project's principal investigator.
"We're trying to build these abilities where, when somebody attacks your computer, these measures can detect the attack and act on it before you're even aware something is compromised."
In contrast with security methods that deal with cyber-threats in a reactive way, the new system being constructed is being designed to function proactively. The plan is to use artificial intelligence and machine learning to train machines to recognize cyber-threats on their own, as a doctor might recognize diseases from their symptoms.
To stop the threats before they infect a network or device, researchers will also teach the machines how to recognize threats as they evolve and how to execute a wide range of cures. With an encyclopedia of remedies at their disposal, the machines will be able to search for the one that is most appropriate and automatically apply it to the threat.
"An attacker can reach hundreds of thousands of devices in a fraction of a second, so we need our ability to detect threats and protect a system to work just as quickly," said Hariri.
The National Nuclear Security Administration's Minority Serving Institution Partnership Program has awarded the project a $3 million grant to be paid over a three-year period. Under the terms of the grant, researchers will train students, especially underrepresented minorities, from the University of Arizona, Howard University, and Navajo Technical University as they work to develop new cybersecurity techniques.
Don’t treat cyber-risk any differently to any other risk to your business, as engagement with senior management continues to be a challenge.
Speaking at the ATM & Cybersecurity 2019 conference in London, Nina Paine, global head of cyber partnerships and government strategy, Standard Chartered (UK), discussed the need to keep senior management engaged when creating and maintaining a cybersecurity culture internally.
Paine said that with growing teams there is a “race to keep pace against cyber-criminals and cyber-threat actors” and this means that security teams “cannot do it alone and it is incredibly important that we share knowledge and insights and key learnings with partners across the world.”
Paine said that people ask if a cybersecurity culture can be driven from the “top down or bottom up” and she said that it is probably both as “the tone from the top and senior executive engagement is the key differentiator.” She also said that cyber-leaders are clear on the strategic implications that cyber-risks represent, and this may be about metrics that the business has put in place.
One tone to adopt for senior executives is to stress that “cybersecurity is tremendously important to our customers.” Therefore, cybersecurity has to be treated as a business risk, “as we know the consequences of not doing so are stark.”
Paine also said that cyber-risk should be “normalized as part of enterprise risk management as a whole.”
So how can cybersecurity be part of the wider business discussion? This needs to be done by trickling it down through the business, and not just by having a technical team in a separate room, Paine advised. She said that at Standard Chartered, cybersecurity is treated as a principal risk type, which means it is subject to enterprise-wide risk management rules.
She added: “Whether you have got that or not, you have got some principles to think about within each function around challenges and assurance that are absolutely vital to all firms.”
Paine recommended setting up a layered effort to enable better adoption of culture, and one thing firms have done is to set up a senior executives’ safe space “where there are no stupid questions and everybody is a human.” She said that this forum can allow increased understanding of risks, as we “cannot simply rely on small groups of technical experts to keep our organization safe.”
She acknowledged that employee awareness can “sound pink and fluffy,” but you can make it a hard skill set and discipline through automated platforms. She said that as Standard Chartered was automating its awareness, this will enable training and results and learning to be better collected, adding an element of gamification.
To conclude, she pointed out that “what gets measured gets done” and recommended introducing security measurement tools, as well as publishing test scores to divisional heads, as that can drive cultural change in a business.
“I’d like to reiterate that cybersecurity risk and its management is very much a shared responsibility, and everyone from the board to the front line has a critical role to play,” she said. “Whilst an organization’s risk culture does have formal risk policies in it, there is also a really important people side.”
Speaking at the ATM & Cybersecurity 2019 conference in London, detective superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chief’s Council, detailed common attackers, attack tactics and the most common ways to prevent them from happening.
Saying that the main attack groups were “no great surprise,” he highlighted the hostile states as having different motives but having “really invested in their capabilities” which he said was the main challenge, as “if a hostile state comes after you as an organization they are probably going to get you” unless you have significantly invested in your protection. “For most people though, that is probably not going to be a significant concern.”
However, a rising threat is from organized crime, which he said has involved a blurring between a hostile state and organized crime, whether it is being franchised or “tasked out,” while there are organized crime groups who do this as a way to make money.
What has also been a major concern over the last couple of years is “more and more high-level sovereign state tools leaked out.” He explained that these may have been the preserve of American intelligence agencies, but are now in the wild and “available for anyone to download and use as part of criminal enterprise.”
As well as attacks such as DDoS and Business Email Compromise, Gould also said that “the most common type of cyber-dependent crime, where computers are attacking computers” and affecting organizations is ransomware. While he admitted that detections and infections are down, the trend is towards more targeted ransomware, and he recommended that businesses protect and test their backups.
In terms of sophistication, Gould said that attackers are getting better at targeting organizations, as one in five “are successful with spray and pray” techniques. “Actually a lot of criminals are investing time and effort in their targets, and we make it easy for them by putting our personal information online,” he added.
Moving on to the role of the police, he acknowledged that the attitude of the police toward cybercrime has changed over time; “we know there are millions of offences committed in the country each year, but only 25-26,000 of those get reported to Action Fraud.”
However, that has improved, Gould said, “and now we've got teams dealing with cyber-dependent crime like ransomware in every force in England and Wales, when 18 months ago nothing existed.” He continued that every incident is investigated and every victim is advised “to stop them being a victim again.”
He concluded by highlighting the most common mistakes that businesses make in dealing with cyber-incidents, which were:
- No plan, nothing exercised
- Unmapped and poorly understood networks and endpoints
- Business negotiates with blackmailers
- Slow to ask for police help (if at all)
- Only communicate with police through lawyers
- Media messaging does not consider secondary fraud
- Ineffective backups
The firms surveyed more than 3,000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the UK and the US, discovering that whilst nearly half (48%) of all corporate data is stored in the cloud, only 32% of organizations believe protecting data in the cloud is their own responsibility.
What’s more, the study found that organizations consider cloud service providers to be the ones to bear the most responsibility for securing sensitive data in the cloud (35%), although just 23% of respondents said security was a factor to them when selecting a cloud service provider.
Furthermore, the research found that more than half (51%) of businesses and other organizations still do not use encryption or tokenization to protect sensitive data in the cloud, whilst 54% of respondents stated that cloud storage makes it more difficult to protect sensitive data.
“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organizations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”
Tina Stewart, vice-president of market strategy for cloud protection and licensing activity at Thales, added: “This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security. Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It does not matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organization’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”
A health organization in New Zealand that was targeted in a global cyber-incident in August has uncovered evidence of earlier attacks dating back three years.
Tū Ora Compass Health took its server offline and strengthened its IT security following a cyber-attack on its website in August. On Saturday, the primary health organization (PHO) announced that an investigation by authorities, including the police, Ministry of Health, and the National Cyber Security Centre, has found evidence of multiple earlier attacks dating from 2016 to early 2019.
Martin Hefford, chief executive officer of Tū Ora Compass Health, said: "As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health. We are devastated that we weren’t able to keep people’s information safe.
"While this was illegal and the work of cybercriminals, it was our responsibility to keep people’s data safe, and we’ve failed to do that."
Tū Ora holds information dating back to 2002 on approximately 1 million individuals from the greater Wellington, Wairarapa, and Manawatu regions. Tū Ora does not hold GP notes, which are held by individual medical centers.
The organization is one of 30 PHOs that collect data from medical centers, then analyze it to ensure patients are screened for diseases like cancer and receive treatment for chronic conditions, including diabetes.
"We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with police," said Hefford. "Experts say it is likely we will never know. However, we have to assume the worst, and that is why we are informing people."
New Zealand's director-general of health, Dr. Ashley Bloomfield, said: "We have been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.
"This work is ongoing, and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."
Elad Shapira, head of research at Panorays, commented that the best way for hackers to reach sensitive and confidential information is often through third parties, who can access data but lack the adequate security to guard it.
He said: "For this reason, assessing and continuously monitoring healthcare organizations' third-party security is critical."
The personal information of 92 million Brazilian citizens has been discovered for sale to the highest bidder on an underground forum auction.
According to BleepingComputer, the auction is present on multiple dark web marketplaces that can only be accessed by paying a fee or via an invitation from someone who is already on the inside.
The information is being sold as a 16GB database in SQL format and has a starting price of $15,000 and a step-up bid of $1,000. According to its seller, X4Crow, the records include names, dates of birth, taxpayer IDs, and some address details.
A sample of the database, which was seen and verified as genuine by BleepingComputer, also contained information relating to gender and the names of individuals' mothers.
The origin of the database is unclear, though the inclusion of the taxpayer IDs and the seller's claims that it contains the unique information of 92 million Brazilian citizens could indicate that it's a government database of the approximately 93 million Brazilians who are currently employed.
In addition to offering the data for sale, X4Crow claims that they can retrieve data available in national identification documents, such as ID cards and driving licenses, together with phone numbers, email addresses, previous addresses, professions, education levels, and vehicles. And all they need to do it is the individual's full name, taxpayer ID, or phone number.
Under Article 18 of the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGPD"), consumers have rights relating to their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated. Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.
Jonathan Deveaux, head of enterprise data protection with comforte AG, believes that in the future, companies may rely more on methods like tokenization to protect valuable consumer data.
He said: "An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization.
"Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps."
Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach.
The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.
Third-party consumer sites, including weleakinfo.com and haveibeenpwned.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to its customers until last week.
Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes.
The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019.
"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.
It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed.
"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."
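Unsalted SHA-1 as a password store, the practice the suit describes, has two defects a defender can see directly: identical passwords produce identical digests, so a leaked table reveals which users share a password without any cracking, and the digest is fast enough that a dump can be attacked at speed. The following added example, which is neither CafePress's code nor the plaintiff's analysis, contrasts that format with salted scrypt from the Python standard library and shows the usual migration path, re-hashing a legacy credential at the user's next successful login. The scrypt cost parameters, the storage prefix and the audit helpers are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed cost parameters: each hash needs 128 * n * r bytes of memory (16 MiB here),
# which is what makes large-scale guessing expensive in a way SHA-1 never is.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}
SCRYPT_PREFIX = "scrypt$"  # assumed storage format: scrypt$<salt hex>$<key hex>


def legacy_sha1(password: str) -> str:
    """The storage format the breach report describes: unsalted SHA-1, hex encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt; a fresh 16-byte salt per user means equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return SCRYPT_PREFIX + salt.hex() + "$" + dk.hex()


def is_legacy(stored: str) -> bool:
    """Anything without the scrypt prefix is treated as a legacy SHA-1 hex digest."""
    return not stored.startswith(SCRYPT_PREFIX)


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either format using a constant-time comparison."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha1(password), stored.lower())
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify; if the stored value is still legacy SHA-1, return a scrypt hash to persist instead."""
    if not verify_password(password, stored):
        return False, stored
    if is_legacy(stored):
        return True, hash_password(password)
    return True, stored


def shared_hash_groups(store: Dict[str, str]) -> List[List[str]]:
    """Users whose unsalted digests are identical share a password; salted hashes never collide this way."""
    groups = defaultdict(list)
    for user, stored in store.items():
        if is_legacy(stored):
            groups[stored.lower()].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def count_legacy(store: Dict[str, str]) -> int:
    """How many credentials still await migration (a useful metric to report on)."""
    return sum(is_legacy(h) for h in store.values())


if __name__ == "__main__":
    # Constructed sample store: three users, two of whom chose the same password.
    store = {"alice": legacy_sha1("password"), "bob": legacy_sha1("password"), "carol": legacy_sha1("hunter2")}
    print("legacy hashes:", count_legacy(store), "shared:", shared_hash_groups(store))
    ok, new_value = upgrade_on_login("password", store["alice"])
    if ok:
        store["alice"] = new_value  # persist the upgraded hash
    print("after alice logs in:", count_legacy(store), "legacy remain;", shared_hash_groups(store))
```

The upgrade-on-login pattern is the practical answer to a legacy store: the server never holds plaintext, so it can only re-hash a password at the moment the user presents it, and `count_legacy` lets the migration be tracked until the remaining SHA-1 entries can be force-reset.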
The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact firstname.lastname@example.org.
UK Home Secretary Priti Patel and US Attorney General William Barr have signed a bilateral agreement paving the way for UK and US law enforcement agencies to obtain data more quickly from electronic service providers operating in each jurisdiction.
According to Julian Hayes and Michael Drury at BCL Solicitors, this “will inevitably be one way traffic, expediting the UK’s acquisition of evidence from US tech giants such as Facebook, Google and Twitter in the fight against serious crime, including terrorism and child abuse.”
According to the FT, the deal will compel US technology companies including Facebook, Google and Twitter to hand over the content of emails, texts and direct messages to British law enforcement bodies, and require the same of UK companies holding information sought by US investigators.
It currently takes police and security services anything from six months to two years to request and access electronic data, under the “mutual legal assistance” treaty between the US and UK governments. “Under the new arrangements, a UK Judge can issue the police, SFO and other specified with an Overseas Production Order, bypassing cumbersome mutual legal assistance procedures and, in principle, obtaining electronically stored data from the US within just seven days,” Drury and Hayes said.
The treaty is based on the US CLOUD Act 2018 and the UK’s Crime (Overseas Production Orders) Act 2019. The agreement still requires ratification by the US Congress and is to be presented to Parliament.
While this has been welcomed by some organizations, including the NSPCC, which described the new arrangements as “a hugely important step forward,” the bilateral agreement has been criticized on the basis that it potentially erodes key rights. “The risk is that, in the rush to comply within tight time frames, tech companies might be required to hand over data to which law enforcement authorities have no right,” Drury and Hayes said.
They also questioned whether service providers will be expected to scrutinize each order to ensure that legal and procedural requirements have been adhered to, and asked how the requirements of the new arrangements can be reconciled with the service providers’ desire to offer encrypted services.
Thales and Verint have announced the release of The Cyberthreat Handbook, a report designed to provide insights into the most significant groups of global cyber-attackers through detailed rating cards.
The two companies combined to carry out a year-long investigation into the current cyber-threat landscape, observing attack techniques, targeted sectors and attack motives.
The research details the activities of approximately 60 major groups of cyber-attackers throughout the world, discovering that almost half of the groups analyzed were state-sponsored, often aiming to steal sensitive data from targets of geopolitical interest.
Just over a quarter were named as ideologically-motivated hacktivists, followed by financially-driven cyber-criminals (20%) and cyber-terrorists (5%).
The Cyberthreat Handbook warned that all the world’s major economic, political and military powers are priority targets of cyber-attackers, and that the sectors most targeted are States and their defense capabilities, followed by the financial sector, energy and transportation.
It was also noted that a growing number of groups of attackers are now focusing on vulnerabilities in the supply chain, and in particular on smaller partners, suppliers and service providers that are used as Trojans to access major targets.
Marc Darmon, executive vice-president, secure communications and information systems, Thales, said: “The Thales and Verint teams are immensely proud to release this report today as part of its technology and domain expertise cooperation. Unique in its breadth and depth, it is the culmination of many months of research, investigation and painstaking analysis and correlation of relevant data. As cyber-threats proliferate and evolve, cybersecurity clearly has a major role to play, particularly for critical infrastructure providers.”
Elad Sharon, president, Verint Cyber Intelligence Solutions, added: “This report generates unique insights and knowledge to cyber and security experts to mitigate and foresee cyber-attacks.”
More than three-quarters (77%) of UK workers claim to have never received any form of cyber-skills training from their employer, according to research from Centrify.
The company surveyed 2,000 full-time professional services workers in the UK, discovering that, alongside the absence of training noted above, 69% of those polled lack confidence in their own ability to keep their data safe and secure.
These findings come at the beginning of European Cyber Security Month, an EU awareness campaign that aims to promote cybersecurity among citizens and organizations, highlighting the importance of information security and the steps that can be taken to protect data online.
Well, it seems as though there is still significant work to do in this regard; 27% of respondents admitted to using the same password across multiple accounts, whilst 14% keep passwords recorded in unsecured notebooks.
Experts warned that such a lackluster approach to critical cyber-awareness could land employers in hot water.
Donal Blaney, cyber-law expert, Griffin Law said: “Ignorance of the law is no defense. Company directors and business owners owe it to themselves, their staff, their shareholders, and their customers to know how to protect their businesses and their customers’ data. They will only have themselves to blame if this blows up in their face one day.”
Andy Heather, VP, Centrify, added: “In an age where cyber-attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instill even the most basic cybersecurity measures in their employees.”
Ireland is cementing its reputation as an international security hub after four companies announced 400 new cybersecurity jobs in the Emerald Isle in the past three weeks.
Yesterday, American insurance company Aflac Incorporated announced that it will be opening a new Global IT and Cybersecurity Innovation Center as part of a multimillion-dollar investment in Northern Ireland.
Belfast has been chosen as the location of the new center, which will create 150 new jobs over the next five years, with an average salary of $55,500.
“We conducted extensive research in Europe to identify a location that not only has the expertise in IT development and cybersecurity to support our business strategy, but also complements our company culture. We believe we have found that here," said Virgil Miller, executive vice president and chief operating officer of Aflac US.
Belfast has also been chosen as the location of Contrast Security's new development and delivery center. The DevSecOps company's new facility, announced at the end of September, will bring 120 new jobs to the local economy.
Cybersecurity firm MetaCompliance said on September 30 that it would be creating 70 new jobs in the Northern Irish city of Derry as part of a $5.5 million global expansion plan. The new positions will focus on developing cloud-based solutions for the cybersecurity learning market.
Also in September, American cybersecurity consulting firm Security Risk Advisors opened its European Headquarters and Security Operations Centre in the southern Irish city of Kilkenny. The site will create 52 jobs over the next five years.
This year's growth in Ireland's cybersecurity sector follows reports in December 2018 that cybersecurity firm Imperva would be creating a new base in Belfast that would generate 220 new jobs.
Invest Northern Ireland has played a key role in this flurry of investment, supporting Imperva's new base with £1.4m, the MetaCompliance expansion with £695,000, and the new Contrast Security center with £786,500 of assistance. The agency also offers support through its Skills Growth Programme.
With so many new jobs being created, the only thing that could prevent Ireland from becoming the biggest star on the international cybersecurity stage is a lack of housing and skilled labor.
Speaking to the Irish Examiner after the FutureSec conference in Cork on September 24, Ronan Murphy, CEO of multinational cybersecurity firm SmartTech247, said: "The housing crisis is seriously affecting our ability to scale. We're building our own very sophisticated AI and machine learning which we will distribute globally. It's pretty cool that we're doing it from Cork, but there's nowhere to live."
Also speaking to the Irish Examiner post-conference, Koos Lodewijkx, vice president of IBM, which has offices in Dublin, Cork, and Galway, said: "It is a challenging time, and staffing is still in short supply. We would like to expand, but it's hard to find employees."
A former employee of American Express is under investigation by the police for allegedly accessing customer information with the intent to commit fraud.
The exact details of the incident have not been disclosed, but the employee is thought to have wrongfully accessed the personal information of Amex customers in America in an attempt to open accounts at other financial institutions.
Amex began notifying customers of the data breach by letter on September 30. Customers who received the letter were told "as a result of the incident, your name, current or previously issued American Express Card account number, physical and/or billing address, date of birth, and Social Security number were compromised."
When contacted for comment, Amex would not say precisely how many customers had been affected by the breach but stated that "only a small number of our customers were impacted."
Affected cardholders have been asked by Amex to vigilantly monitor their account statements for the next two years for signs of fraudulent charges. However, Amex has stated that customers whose information was wrongfully accessed will not be held liable for any fraudulent charges.
In the letter sent to customers to notify them of the breach, Amex offered impacted cardholders a free two-year membership with Experian's identity theft and resolution service IdentityWorks by way of compensation. Customers who are already members are being offered the opportunity to extend their coverage for two years free of charge.
After informing them that their personal information was wrongfully accessed, the letter goes on to tell customers that they will need to entrust their Social Security number and current mailing address to the service provider if they wish to sign up for membership.
A spokesperson for American Express told Infosecurity Magazine: "Ensuring the security of our customers’ information is our top priority, and we are investigating this matter in close partnership with law enforcement.
"I would note that this was not a breach of American Express’ systems and the person in question is no longer an employee of American Express. In addition, only a small number of our customers were impacted, and those who are affected are being notified.
"As a reminder, our customers are not liable for any fraudulent charges on their American Express cards. Given this is an active criminal investigation, we can’t provide any further comment."
EA Games has leaked the personal data of 1600 gamers who registered to take part in a competition via the company's website.
Contenders signing up for the FIFA 20 Global Series competition were asked to enter personal information into what should have been a blank online form to verify their EA account details. But instead of being empty, the form's fields displayed the personal information of gamers who had already signed up for the soccer video game challenge.
Personal information compromised in the breach included email addresses, account ID numbers, usernames, and dates of birth.
Rather ironically, the breach occurred just hours after EA Games announced that users switching on two-factor authentication would get free access to an Origin Access Basic subscription for four weeks as part of the UK's National Cyber Security Month.
Gamers took to Twitter to vent their frustrations regarding the breach, with one gamer who was confronted with the personal data of a fellow competitor joking that he would send the player a birthday card.
Another gamer, whose personal information was leaked during the breach and who is on Twitter as @Kurt0411Fifa, tweeted: "Before I get to the absolute farce of that competitive bullsh*t, when you click the link register for verification you get other people's personal information!!!!!! WTFF, this is a new low even for this joke of a company."
It didn't take EA Games long to become aware of their balls-up, and the registration page was taken down yesterday, just 30 minutes after it was first put up.
In a statement regarding the breach released on Twitter yesterday, EA Games said: "We were able to root cause the issue and implement a fix to be clear that information is protected. We're confident that players will not see the same issues going forward."
The games publishing company also said it was taking steps to contact the 1600 gamers affected by the breach with more details and to protect their accounts.
When contacted for comment by Infosecurity Magazine, EA Games said: "We have issued a couple statements to our community on this topic but aren’t in a position to discuss further at this point. However, I will keep you updated if that should change or we make any further statements."
Registration for the competition remains closed but is expected to re-open in the next few days.
Morals and ethics should be considered when it comes to making decisions in cybersecurity.
Speaking at the Virus Bulletin 2019 conference in London, Ivan Kwiatkowski, security researcher at Kaspersky Lab, said that there is little discussion of ethics in cybersecurity. The concept of white hat versus black hat is “the wrong way to think about things,” he said, and even the subject of ethical hacking rarely covers the issue of ethics.
Saying he was talking to people “who were thinking of doing something terrible but had not stopped to think about it yet,” he said that this is a young industry that has not yet developed a moral compass. This is not an issue of maturity or diversity, he argued; rather, people rely on their personal intuition for the decisions they face.
“Nobody wants someone to tell them right from wrong” he added, but he urged people to realize that “knowledge is power and if you control what people know about something, you can convince people.
“Infosec is about controlling what access people have to certain information.” He said that there are ethical dilemmas that people may face, such as:
- A legitimate hacking problem – intelligence agencies and militaries attack organizations; some nations set up a “surveillance apparatus which can be invaluable in preventing terrorism,” whilst others rely on “hacking back,” and some people adopt the label of hacktivist and feel justified in hacking something or someone
- Vulnerability handling – when we find a vulnerability, Kwiatkowski said, we still need to reach an agreement on how to handle it. Some companies specialize in selling hacking tools and exploits, and swear that they only do business with governments with a good track record on democracy and human rights. However, he argued: “In some cases, there have been suspect decisions in that regard.”
In the case of exploits being sold on the offensive market, he asked if it is a legal or moral issue, as moral decisions change over time. “All cultures may disagree on what morals are, we all have a moral code and maybe those questions are unsolvable and unescapable.”
He went on to say that we “owe it to ourselves” to determine what constitutes ethical behavior and what does not. Concluding, he recommended “allocating more attention to ethics” and said that it was time we adopted a global code of conduct too, and cited the EFF as being able to push that standard.
He also called on conference organizers to consider this, and to concentrate less on celebrities, “especially those celebrities whose success may be traced back to suspicious behavior.” Instead, he recommended that conference organizers invite philosophers and “victims of cyber-abuse to tell their stories” to let us know our shortcomings.
Speaking at the Virus Bulletin 2019 conference in London, members of the Cyber Threat Alliance discussed the benefits of sharing intelligence.
Led by moderator and Cyber Threat Alliance COO Heather King, panelists Kathi Whitbey, program manager of cyber threat intelligence information sharing at Palo Alto Networks, and Jeannette Jarvis, director of product marketing at Fortinet, said that there are clear benefits to sharing data, as Jarvis explained: “There is the opportunity to expand and share more deeper intelligence.”
Jarvis said that there is an intention with the Alliance to “build equal or better ecosystems beyond what our adversaries are doing, and to know what they are sharing” and this can better protect customers with “actionable intelligence.”
Whitbey added that the founding members believed in the “power of collaboration and sharing.” Asked by King how the Cyber Threat Alliance is unique, Jarvis admitted that all of the members have different missions, but the collaborative nature means that companies can get enough data to get the complete picture of an issue.
Pointing at the WannaCry incident in 2017, Whitbey said that within hours they knew what each other was seeing and what the issue was, and “we were able to paint a picture as everyone provided what they had and we could see all the information in real time.”
Jarvis admitted that “no one has all the information” and by sharing they get the complete picture and fill in the gaps.
The panellists explained that the members don’t share the same technology, customers or regions, “but if we collaborate we all get into the environment,” Whitbey said.
Jarvis reflected on a previous role at an aerospace company, saying that it was clear from working in that role “that we need to be more connected to help customers.”
Despite the main infections taking place two and a half years ago, a large number of computers remain vulnerable to the WannaCry ransomware.
Speaking to Infosecurity at the Virus Bulletin 2019 conference in London, Sophos security researcher Chet Wisniewski said that a large number of businesses did not apply the patches, released in March 2017 and again after the infection in May 2017, so their machines remain vulnerable. “That’s what surprised me, with the amount of hype and the amount of news around that vulnerability, it shows that even standing on the rooftop and lighting your hair on fire is not going to be enough for people to take action,” he said.
“The good news is that there is an accidental vaccination which means that the good people won’t get infected with it,” he said. He explained that a version of WannaCry drops a payload, but that payload is currently corrupted: if another infection is attempted and that file is detected at all, the infection will not take place.
“Fortunately, all of these copies of WannaCry we’re seeing are neutered,” he added. “It’s not hurting anyone, it’s just spreading around and making a lot of noise.”
Wisniewski went on to say that people are still not realizing that “these weaponized exploits are really dangerous, and BlueKeep has been an interesting trial of this.” Wormable exploits, he said, are typically published within hours, but in BlueKeep’s case the exploit has so far only been added to Metasploit, and companies are using it as a penetration testing tool.
“If people have not patched since 2017, if a BlueKeep publicly exploitable worm was released, instantly millions of machines would be impacted again, and we would be in the same boat as when WannaCry was spreading around,” he said. “Every single one of those machines would be vulnerable as they have not been patched in two years, not to mention all of those that have been patched since.”